httpd-dev mailing list archives

Okay, Brandon. I'll jump in and make a fool of myself.
First, the form of .htpasswd files does not matter for
digest authentication. It uses different files.
Second, the server does not need to know the password
to authenticate credentials. The credentials are an md5
hash of two hashed components:
H( H(A1) + ":" + nonce + ":" + H(A2) )
where A1 = user-name + ':' + realm + ':' + password
and A2 = method + ':' + requested-uri
So all the server has to store is H(A1). When the credentials
come across, compute this and compare. This is stored in a
different file format as follows:
user:realm:H(A1)
To crack this, you would need to know the password. And if you
knew that, there's nothing that can be done.
One final question. Brandon, you state that access to the password
file, .htpasswd, will compromise this system. I don't see how. It is
not enough to know the md5 algorithm. You must know the password
to recompute H(A1). If passwords are stored one-way crypted in
.htpasswd, how does access to .htpasswd help you?
Thanks
Stan
NCSA